This is my collection of detective and mitigating security controls as it results from personal research. The general idea is to classify these controls into categories and rank them so that they can be applied selectively in any corporative environment. As the list grows, I will develop a framework that will encapsulate everything in a table. Eventually this will also be retrievable in JSON format.


Topic: represents the short description of the threat that requires a security control in order to reduce risk of exposure in your network. Criticality: how critical (urgency/severity) the security control that mitigates the threat is for any organization. The scores are: low, medium, high, critical. IDS: Implementation Difficulty Score, a simple measure of the effort involved into implementing proper security controls for this threat. The scores hare: easy, medium, hard, very hard. TTP Cagetorization: A broad schema to classify the threat type.

Threat Protection Stack Table v0.1

Topic Criticality IDS TTP Categorization References
DDE Microsoft Office weaponization High Easy Category: Defense Evation

Sub-Category: Weaponized Document.

MITRE: Exploitation of Vulnerability T1068
Prevent lateral movement I Critical Very Hard Category: Lateral Movement, Credential Access

Sub-Category: Pass the Hash, Pass the Ticket, Credential Dumping.

MITRE: Exploitation of Vulnerability T1068

Protect Against DDE Microsoft Office weaponization techniques

There are two essential controls:


  • Disable Automated Link Update from Office apps


  • Use this YARA rule
  • Create a new rule using your EDR solution that draws on the patterns for the YARA rule


  • To mitigate DDE by disabling Automated Link Updates:
  • DDE Protocol:
  • Yara Rules:
  • McAfee Advisory:

Prevent credential harvesting and lateral movement in AD Environment

Security Controls: Mitigative, Detective.


  • Apply Active Directory administrative tier model on your environment.


  • WIP


  • Great article by Microsoft: